When the log action is enabled for security checks or signatures, the resulting log messages provide information about the requests and responses that the Web App Firewall has observed while protecting your web sites and applications. The most important information is the action taken by the Web App Firewall when a signature or a security check violation was observed. For some security checks, the log message can provide additional useful information, such as the location and the detected pattern that triggered the violation. You can deploy security checks in non-block mode and monitor the logs to determine whether the transactions that are triggering security violations are valid transactions (false positives). If they are, you can remove or reconfigure the signature or security check, deploy relaxations, or take other appropriate measures to mitigate the false positives before you enable blocking for that signature or security check. An excessive increase in the number of violation messages in the logs can indicate a surge in malicious requests. This can alert you that your application might be under attack by a client attempting to exploit a specific vulnerability that is detected and thwarted by Web App Firewall protections.

Citrix ADC (Native) format logs

The Web App Firewall uses the Citrix ADC format logs (also called native format logs) by default. These logs have the same format as those generated by other Citrix ADC features. Each log contains the following fields:

Timestamp. Date and time when the connection occurred.

Severity. Severity level of the log.

Module. Citrix ADC module that generated the log entry.

Event Type. Type of event, such as signature violation or security check violation.

You can search for any of these fields, or any combination of information from different fields. Your selection is limited only by the capabilities of the tools you use to view the logs. You can observe the Web App Firewall log messages in the GUI by accessing the Citrix ADC syslog viewer, or you can manually connect to the Citrix ADC appliance and access logs from the command line interface, or you can drop into the shell and tail the logs directly from the /var/log/ folder.

Common Event Format (CEF) Logs

The Web App Firewall also supports CEF logs. CEF is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF enables customers to use a common event log format so that data can easily be collected and aggregated for analysis by an enterprise management system. The log message is broken into different fields so that you can easily parse the message and write scripts to identify important information.

Logging geolocation in the Web App Firewall violation messages

Geolocation, which identifies the geographic location from which requests originate, can help you configure the Web App Firewall for the optimal level of security. To bypass security implementations such as rate limiting, which rely on the IP addresses of the clients, malware or rogue computers can keep changing the source IP address in requests. Identifying the specific region from where requests are coming can help determine whether the requests are from a valid user or a device attempting to launch cyberattacks. For example, if an excessively large number of requests are received from a specific area, it is easy to determine whether they are being sent by users or a rogue machine. Geolocation analysis of the received traffic can be very useful in deflecting attacks such as denial of service (DoS) attacks.

The Web App Firewall offers you the convenience of using the built-in Citrix ADC database for identifying the locations corresponding to the IP addresses from which malicious requests are originating. You can then enforce a higher level of security for requests from those locations. Citrix default syntax (PI) expressions give you the flexibility to configure location based policies that can be used in conjunction with the built-in location database to customize firewall protection, bolstering your defense against coordinated attacks launched from rogue clients in a specific region.

You can use the Citrix ADC built-in database, or you can use any other database. If the database does not have any location information for the particular client IP address, the CEF log shows geolocation as an Unknown geolocation.

Note: Geolocation logging uses the Common Event Format (CEF). By default, CEF logging and GeoLocationLogging are OFF. You must explicitly enable both parameters.

Using the command line to configure the log action and other log parameters

To configure the log action for a security check of a profile by using the command line

At the command prompt, type one of the following commands:

set appfw profile <name> SecurityCheckAction ([log] | [none])

unset appfw profile <name> SecurityCheckAction

Examples

set appfw profile pr_ffc StartURLAction log

unset appfw profile pr_ffc StartURLAction

To configure CEF logging by using the command line

CEF logging is disabled by default. At the command prompt, type one of the following commands to change or display the current setting:

set appfw settings CEFLogging on

unset appfw settings CEFLogging

sh appfw settings | grep CEFLogging

To configure the logging of credit card numbers by using the command line

At the command prompt, type one of the following commands:

set appfw profile <name> -doSecureCreditCardLogging ([ON] | [OFF])

unset appfw profile <name> -doSecureCreditCardLogging

To configure Geolocation logging by using the command line

Use the set command to enable GeoLocationLogging. You can enable the CEF logging at the same time. Use the unset command to disable geolocation logging. The show command shows the current settings of all the Web App Firewall parameters, unless you include the grep command to show the setting for a specific parameter.

Customizing Web App Firewall Logs

Default format (PI) expressions give you the flexibility to customize the information included in the logs. You have the option to include the specific data that you want to capture in the Web App Firewall generated log messages. For example, if you are using AAA-TM authentication along with the Web App Firewall security checks, and would like to know the accessed URL that triggered the security check violation, the name of the user who requested the URL, the source IP address, and the source port from which the user sent the request, you can use the following commands to specify customized log messages that include all the data:

Configuring Syslog policy to segregate Web App Firewall logs

The Web App Firewall offers you an option to isolate and redirect the Web App Firewall security log messages to a different log file. This might be desirable if the Web App Firewall is generating a large number of logs, making it difficult to view other Citrix ADC log messages. You can also use this option when you are interested only in viewing the Web App Firewall log messages and do not want to see the other log messages.

To redirect the Web App Firewall logs to a different log file, configure a syslog action to send the Web App Firewall logs to a different log facility. You can use this action when configuring the syslog policy, and bind it globally for use by Web App Firewall.

Example:

Switch to the shell and use an editor such as vi to edit the /etc/syslog.conf file. Add a new entry to use local2.* to send logs to a separate file as shown in the following example:

local2.* /var/log/ns.log.appfw

Restart the syslog process. You can use the grep command to identify the syslog process ID (PID), as shown in the following example:

root@ns# ps -A | grep syslog
1063 ?? Ss 0:03.00 /usr/sbin/syslogd -b 127.0.0.1 -n -v -v -8 -C
root@ns# kill -HUP 1063

From the command line interface, configure the syslog action and policy. Bind it as a global Web App Firewall policy.

All Web App Firewall security check violations will now be redirected to the /var/log/ns.log.appfw file. You can tail this file to view the Web App Firewall violations that are getting triggered during the processing of the ongoing traffic.

root@ns# tail -f ns.log.appfw

Warning: If you have configured the syslog policy to redirect the logs to a different log facility, the Web App Firewall log messages no longer appear in the /var/log/ns.log file.

Viewing the Web App Firewall Logs

You can view the logs by using the syslog viewer, or by logging onto the Citrix ADC appliance, opening a UNIX shell, and using the UNIX text editor of your choice.

To access the log messages by using the command line

Switch to the shell and tail ns.log in the /var/log/ folder to access the log messages pertaining to the Web App Firewall security check violations:

tail -f /var/log/ns.log

You can use the vi editor, or any Unix text editor or text search tool, to view and filter the logs for specific entries. For example, you can use the grep command to access the log messages pertaining to the Credit Card violations:

tail -f /var/log/ns.log | grep SAFECOMMERCE

To access the log messages by using the GUI

The Citrix GUI includes a very useful tool (Syslog Viewer) for analyzing the log messages. You have multiple options for accessing the Syslog Viewer:

To view log messages for a specific security check of a profile, navigate to Web App Firewall > Profiles, select the target profile, and click Security Checks. Highlight the row for the target security check and click Logs. When you access the logs directly from the selected security check of the profile, it filters out the log messages and displays only the logs pertaining to the violations for the selected security check. Syslog viewer can display Web App Firewall logs in the Native format as well as the CEF format. However, in order for the syslog viewer to filter out the target profile specific log messages, the logs must be in the CEF log format when accessed from the profile.

You can also access the Syslog Viewer by navigating to Citrix ADC > System > Auditing. In the Audit Messages section, click the Syslog messages link to display the Syslog Viewer, which displays all log messages, including all Web App Firewall security check violation logs for all profiles. This is useful for debugging when multiple security check violations might be triggered during request processing.

The HTML based Syslog Viewer provides the following filter options for selecting only the log messages that are of interest to you:

File—The current /var/log/ns.log file is selected by default, and the corresponding messages appear in the Syslog Viewer. A list of other log files in the /var/log directory is available in compressed .gz format. To download and uncompress an archived log file, just select the log file from the dropdown option. The log messages pertaining to the selected file are then displayed in the syslog viewer. To refresh the display, click the Refresh icon (a circle of two arrows).

Module list box—You can select the Citrix ADC module whose logs you want to view. You can set it to APPFW for Web App Firewall logs.

Event Type list box—This box contains a set of check boxes for selecting the type of event you are interested in. For example, to view the log messages pertaining to the signature violations, you can select the APPFW_SIGNATURE_MATCH check box. Similarly, you can select a check box to enable the specific security check that is of interest to you. You can select multiple options.

Severity—You can select a specific severity level to show just the logs for that severity level. Leave all the check boxes blank if you want to see all logs.

To access the Web App Firewall security check violation log messages for a specific security check, filter by selecting APPFW in the dropdown options for Module. The Event Type displays a rich set of options to further refine your selection. For example, if you select the APPFW_FIELDFORMAT check box and click the Apply button, only log messages pertaining to the Field Formats security check violations appear in the Syslog Viewer. Similarly, if you select the APPFW_SQL and APPFW_STARTURL check boxes and click the Apply button, only log messages pertaining to these two security check violations will appear in the syslog viewer.

If you place the cursor in the row for a specific log message, multiple options, such as Module, EventType, EventID, ClientIP, TransactionID, and so on appear below the log message. You can select any of these options to highlight the corresponding information in the logs.

Click to Deploy: This functionality is available only in the GUI. You can use the Syslog Viewer to not only view the logs but also to deploy relaxation rules based on the log messages for the Web App Firewall security check violations. The log messages must be in CEF log format for this operation. If the relaxation rule can be deployed for a log message, a check box appears at the right edge of the Syslog Viewer box in the row. Select the check box, and then select an option from the Action list to deploy the relaxation rule. Edit & Deploy, Deploy, and Deploy All are available as Action options. For example, you can select an individual log message to edit and deploy. You can also select the check boxes for multiple log messages from one or more security checks and use the Deploy or Deploy All option. Click to Deploy functionality is currently supported for the following security checks:

StartURL

URL Buffer overflow

SQL Injection

XSS

Field consistency

Cookie consistency

To use Click to Deploy functionality in the GUI

In the Syslog Viewer, select APPFW in the Module options.

Select the security check for which to filter corresponding log messages.

Enable the check box to select the rule.

Use the Action drop-down list of options to deploy the relaxation rule.

Verify that the rule appears in the corresponding relaxation rule section.

Note: SQL Injection and XSS rules that are deployed by using the Click to Deploy option do not include the fine-grained relaxation recommendations.

Remote Logging—You can redirect the log messages to a remote syslog server.

Geolocation Logging—You can configure the Web App Firewall to include the geolocation of the area from where the request is received. A built-in geolocation database is available, but you have the option to use an external geolocation database. The Citrix ADC appliance supports both IPv4 and IPv6 static geolocation databases.

Information rich log message—Following are some examples of the type of information that can be included in the logs, depending on the configuration:

A Web App Firewall policy was triggered.

A security check violation was triggered.

A request was considered to be malformed.

A request or the response was blocked or not blocked.

Request data (such as SQL or XSS special characters) or response data (such as Credit card numbers or safe object strings) was transformed.

The number of credit cards in the response exceeded the configured limit.

The credit card number and type.

The log strings configured in the signature rules, and the signature ID.

Geolocation information about the source of the request.

Masked (X’d out) user input for protected confidential fields.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

THIS SERVICE MAY CONTAIN TRANSLATIONS POWERED BY GOOGLE. GOOGLE DISCLAIMS ALL WARRANTIES RELATED TO THE TRANSLATIONS, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF ACCURACY, RELIABILITY, AND ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.